Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

2557e261f5...ba.exe

windows7-x64

10

2557e261f5...ba.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    03/05/2024, 19:41 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2557e261f5b4611da5512ec6b2d5c1e90462fa7439b8714255d27e16a8474dba.exe

  • Size

    135KB

  • MD5

    52c98032c1d953c808a7fc2e1feb473d

  • SHA1

    06bf18a0965e34715c9d12f0fca123bad3a142d1

  • SHA256

    2557e261f5b4611da5512ec6b2d5c1e90462fa7439b8714255d27e16a8474dba

  • SHA512

    6663aee0e547dafa009c26e31351e20368d3a4ab98c20388b858b781f7d15c114354568b0acdcdec6f2802b3b050121634c161b71a1443c1e335d4bb3e3fb56b

  • SSDEEP

    3072:UVqoCl/YgjxEufVU0TbTyDDal5yUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU3:UsLqdufVUNDao

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2557e261f5b4611da5512ec6b2d5c1e90462fa7439b8714255d27e16a8474dba.exe
    "C:\Users\Admin\AppData\Local\Temp\2557e261f5b4611da5512ec6b2d5c1e90462fa7439b8714255d27e16a8474dba.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2504
    • \??\c:\windows\resources\themes\explorer.exe
      c:\windows\resources\themes\explorer.exe
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2832
      • \??\c:\windows\resources\spoolsv.exe
        c:\windows\resources\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2372
        • \??\c:\windows\resources\svchost.exe
          c:\windows\resources\svchost.exe
          4⤵
          • Modifies visiblity of hidden/system files in Explorer
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2564
          • \??\c:\windows\resources\spoolsv.exe
            c:\windows\resources\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2648
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 19:43 /f
            5⤵
            • Creates scheduled task(s)
            PID:2540
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 19:44 /f
            5⤵
            • Creates scheduled task(s)
            PID:1520
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 19:45 /f
            5⤵
            • Creates scheduled task(s)
            PID:1096
      • C:\Windows\Explorer.exe
        C:\Windows\Explorer.exe
        3⤵
          PID:2548

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\Resources\spoolsv.exe
      Filesize

      135KB

      MD5

      94fef10c15ef770629cc7cc1ceefdfc6

      SHA1

      e901cebf961cc29f3d7dcb6acc94a61ca2f8783b

      SHA256

      5d2e6fc2b63af72f291ce981819ecc6ef761f0b71f8f1fb02632022b5d87d5b3

      SHA512

      b1f8e0d76769b10c61d9e30fd2dec4c54a659ae6d4810330c981f6800a01f81f480dd9023b2048f3cb40b41f6b7dfbc91d8e55a1cee2d5e823f9dd9c59fff330

      Download Submit

    • \Windows\Resources\Themes\explorer.exe
      Filesize

      135KB

      MD5

      3388d8340965b557b366e0f4c5655775

      SHA1

      7ed4d94104486ae5b7585264e434cfd633261876

      SHA256

      ab3d93cd5e43b5150aec6980d49014740c27a141c606e8ab7d4016c186abceac

      SHA512

      8188d63c5e022714a0f0c24f49b95fb173c5595dcacd2a500605e37c77b43afcdc4820c20cc0742b1770655327ee85ca484709f89e34a2b93ece94c6df10a3a8

      Download Submit

    • \Windows\Resources\svchost.exe
      Filesize

      135KB

      MD5

      011d5b6d778329377e620eac45f32a2b

      SHA1

      6d910575cc6747984947f0acb4bb6a5fb0e2237b

      SHA256

      a1210512d2600a0610fe351ec84b603ec5fe0890932e425ec7ef39a46483c10e

      SHA512

      b51f3f3699ba167670c3db2e9e1bade08886f79a9ebe9212de4c9ae2ec133ff1fff68f6be3f892cd953736880dd08a8e27e5261bf545f2b694e30c2917b2df6d

      Download Submit

    • memory/2372-23-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/2372-43-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/2504-0-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/2504-10-0x0000000000290000-0x00000000002AF000-memory.dmp

      Filesize

      124KB

      Download

    • memory/2504-44-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/2564-38-0x0000000000390000-0x00000000003AF000-memory.dmp

      Filesize

      124KB

      Download

    • memory/2648-42-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.